Subject: [ASA-201609-28] lib32-openssl: denial of service Arch Linux Security Advisory ASA-201609-28 ========================================== Severity: Medium Date : 2016-09-27 CVE-ID : CVE-2016-7052 Package : lib32-openssl Type : denial of service Remote : Yes Link : https://security.archlinux.org/AVG-34 Summary ======= The package lib32-openssl before version 1:1.0.2.j-1 is vulnerable to denial of service. Resolution ========== Upgrade to 1:1.0.2.j-1. # pacman -Syu "lib32-openssl>=1:1.0.2.j-1" The problem has been fixed upstream in version 1.0.2.j. Workaround ========== None. Description =========== A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0 but was omitted from OpenSSL 1.0.2i. As a result any attempt to use CRLs in OpenSSL 1.0.2i will crash with a null pointer exception. The issue was reported to OpenSSL on 22nd September 2016 by Bruce Stephens and Thomas Jakobi. Impact ====== A remote attacker is able to perform a denial of service attack by using a certificate revocation list. References ========== https://www.openssl.org/news/secadv/20160926.txt https://security.archlinux.org/CVE-2016-7052